Gentoo and Windows 8.1 secure boot setup

It’s been bugging me for a while that I always have to choose the OS to boot via the EFI boot selector, when I could use either the Windows boot manager or Grub2 to do this. Grub2 with the newest os-prober version does detect and create boot entries for Windows 8.1, but the Windows bootloader refuses to boot 🙁 (probably because secure boot is off). If I select the Windows bootloader via EFI it works just fine.

Anyhow, I want to try to set up a secure boot system and see if chainloading the Windows bootloader works. (Spoiler: It does! :-))

Preparations

Installing and backing up

First install the package app-crypt/efitools, which pulls in sys-boot/gnu-efi; both are keyworded. The problem with efitools is that it does not detect efivarfs properly (at least in portage’s version 1.4.2-r1). So I grabbed the ebuild from https://bugs.gentoo.org/show_bug.cgi?id=533572 and added it to my local portage. I also bumped the version of the ebuild to 1.5.3, which is the latest development version.

Rebooting and clearing secure boot storage

Now we need to reboot, enter the EFI setup and clear the secure boot storage. Please do so; see you in a minute!

After clearing the secure boot storage, efi-readvar will show this:

bentoo benjamin # efi-readvar
Variable PK has no entries
Variable KEK has no entries
Variable db has no entries
Variable dbx has no entries
Variable MokList has no entries

Updating secure boot storage

Now that the secure boot storage is cleared and EFI is in setup mode, let’s update the secure boot storage with our own keys. But first we’ll reload the old contents of KEK, db and dbx, which we saved above, so that Windows will still be permitted to load under secure boot.
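The workflow described in the Preparations and Updating sections (save the vendor KEK/db/dbx, clear storage, enroll your own keys, then re-append the saved entries so the Windows boot manager still verifies), written out as an added shell example; these are my assumed efitools and openssl invocations, not the post’s own commands. Assumed: /root/secureboot as working directory, a placeholder owner GUID, and a pre-enrollment check that refuses to write PK unless the KEK and db backups are present.

```sh
# Added example: assumed efitools+openssl workflow (not the post's commands); run as root, efivarfs mounted, firmware in setup mode.
set -eu
WORK=${SB_WORK:-/root/secureboot}                 # assumed working directory
GUID=${SB_GUID:-11111111-2222-3333-4444-555555555555}  # placeholder owner GUID

# 1. Save the vendor PK/KEK/db/dbx (Microsoft's certs live in db) as ESL files
#    BEFORE clearing storage; Windows stays bootable only if db is restored.
sb_backup() {
    mkdir -p "$WORK/old"
    for v in PK KEK db dbx; do
        efi-readvar -v "$v" -o "$WORK/old/old_$v.esl"
    done
}

# Refuse to enroll unless the KEK and db backups exist and are non-empty
# (dbx may legitimately be empty). Returns 1 on the first missing file.
sb_check_backups() {
    for v in KEK db; do
        [ -s "$1/old_$v.esl" ] || { echo "missing $1/old_$v.esl" >&2; return 1; }
    done
}

# 2. Generate our own PK/KEK/db key pairs and signed update files (.auth):
#    PK self-signed, KEK signed by PK, db signed by KEK.
sb_make_keys() {
    mkdir -p "$WORK/keys" && cd "$WORK/keys"
    for k in PK KEK db; do
        openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/CN=Gentoo $k/" -keyout "$k.key" -out "$k.crt"
        cert-to-efi-sig-list -g "$GUID" "$k.crt" "$k.esl"
    done
    sign-efi-sig-list -k PK.key  -c PK.crt  PK  PK.esl  PK.auth
    sign-efi-sig-list -k PK.key  -c PK.crt  KEK KEK.esl KEK.auth
    sign-efi-sig-list -k KEK.key -c KEK.crt db  db.esl  db.auth
}

# 3. Enroll: db, dbx and KEK first, PK last (writing PK ends setup mode).
#    -e appends the saved vendor entries so the Windows boot manager still verifies.
sb_enroll() {
    sb_check_backups "$WORK/old"
    cd "$WORK/keys"
    efi-updatevar -f db.auth db
    efi-updatevar -e -f "$WORK/old/old_db.esl" db
    [ -s "$WORK/old/old_dbx.esl" ] && efi-updatevar -e -f "$WORK/old/old_dbx.esl" dbx
    efi-updatevar -f KEK.auth KEK
    efi-updatevar -e -f "$WORK/old/old_KEK.esl" KEK
    efi-updatevar -f PK.auth PK
}
case "${1:-}" in backup) sb_backup ;; keys) sb_make_keys ;; enroll) sb_enroll ;; esac
```

Invoke as `sh script.sh backup` before clearing the storage in EFI, then `keys` and `enroll` once the firmware is back in setup mode.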

No such device error, etc

After working with the system for a while, regenerating the grub.cfg and so on, I again ran into the error „No such device“ or „No valid filesystem“. The solution was that I had to explicitly disable CSM in my EFI. Afterwards it worked like a charm again. Sometimes disabling and re-enabling secure boot helps too; I do not know why.

BIOS/EFI Update

Today I was looking for a way to fix the above and found a new BIOS/EFI version for my board. After updating I had to redo my settings 🙁 and the secure boot keys were gone. But luckily we saved them 🙂